Idm Workshop


Transcript of Idm Workshop

Why Oracle Identity and Access Management?

Oracle Identity and Access Management is fundamentally about securing access to your organization's information assets from within the enterprise.

At its core this represents the efficient management of typically thousands of user accounts across hundreds of applications, from the time user accounts are created, through their complete lifecycle including role changes and termination.


Oracle Identity Manager

What is Oracle Identity Manager?

Oracle Identity Manager is an application that handles and selectively automates tasks that manage a user's access privileges. Such tasks include:

• Creating access privileges to resources for users
• Modifying these privileges dynamically based on changes to user and business requirements
• Removing these access privileges from users

Oracle Identity Manager Architecture

The architecture for Oracle Identity Manager:

• Is based on a Java 2 Enterprise Edition (J2EE) environment
• Separates the platform's Presentation, Server, and Data & Enterprise Integration tiers
• Enables the creation of n levels of layers

Oracle Identity Manager Architecture: Tiers

The Oracle Identity Manager architecture has three tiers:

• Presentation tier
• Server tier
• Data & Enterprise Integration tier

Tier 1: Presentation Tier

The Presentation tier of Oracle Identity Manager has two layers:

• Presentation layer: the two consoles for Oracle Identity Manager, the Administrative Console and the Design Console
• Dynamic Presentation Logic layer: the logic for generating dynamic pages for the Administrative Console by using JSPs, Java Servlets, XML, and JavaBeans

Tier 2: Server Tier

The Server tier of Oracle Identity Manager is the interface between the Presentation and Data & Enterprise Integration tiers.

The application server for Oracle Identity Manager:

• Resides in the Server tier
• Provides the life-cycle management, security, deployment, and run-time services to the logical components that support Oracle Identity Manager

The Server tier of Oracle Identity Manager supports:

• Clustering
• Load balancing
• Security management
• Scheduling

Tier 3: Data & Enterprise Integration Tier

The Data & Enterprise Integration tier of Oracle Identity Manager has two layers:

• Data Access layer: the layer that has the components Oracle Identity Manager needs to communicate with its database
• Back-end Database layer: the layer where the database resides

The Back-end Database layer leverages the following capabilities:

• Clustering
• Standby database
• Replication

Reconciliation and Provisioning: Overview

Reconciliation is the process by which Oracle Identity Manager receives information from an external resource.

Provisioning is the process by which Oracle Identity Manager sends information to a target resource.

By using reconciliation and provisioning, Oracle Identity Manager can perform the following actions:

• Create a user record in a resource
• Modify the privileges that the user has with the resource
• Remove the user record from the resource

Reconciliation: Types

There are two types of reconciliation that Oracle Identity Manager performs:

• Trusted source reconciliation
• Targeted resource reconciliation

Reconciliation: Events

Oracle Identity Manager can perform three types of reconciliation events with an external resource:

• Reconciliation Insert
• Reconciliation Update
• Reconciliation Delete

Provisioning: Types

There are two types of provisioning that Oracle Identity Manager performs:

• Day-one provisioning: the initial creation of access privileges to resources for users, and the removal of these privileges from users
• Day-two provisioning: the dynamic modification of user privileges with resources, based on changes to user and business requirements

Trusted Source Reconciliation: Conceptual Diagram

Via provisioning and reconciliation, Oracle Identity Manager can build an accurate picture of the user identities that it manages in both a trusted source and a target resource.

[Diagram 1: reconciliation flow and provisioning flow between Oracle Identity Manager, a trusted source (for example, a corporate directory) and a target resource (for example, an Oracle database); actors shown: administrator, end user]

Targeted Resource Reconciliation: Conceptual Diagram

Via provisioning and reconciliation, Oracle Identity Manager can build an accurate picture of the user identities it manages in both a trusted source and a target resource.

[Diagram 2: reconciliation flow and provisioning flow between Oracle Identity Manager, a trusted source (for example, a corporate directory) and a target resource (for example, an Oracle database); actors shown: administrator, end user]
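As an added example, not taken from the workshop slides or from Oracle Identity Manager's own code, the following Python model shows how the three reconciliation event types listed above (Insert, Update, Delete) arise when a snapshot received from a trusted source is compared with the users Oracle Identity Manager already holds. The reconciliation key attribute, the sample users and the assumption that the source delivers a full snapshot are constructed for illustration.

```python
"""Toy model of the three reconciliation event types on the slides (Insert,
Update, Delete). Added illustration, not Oracle Identity Manager's own engine
or API. Assumes the external resource delivers a full account snapshot and one
attribute (the reconciliation key, e.g. an employee number) links record to user."""
from dataclasses import dataclass, field

INSERT, UPDATE, DELETE = "Reconciliation Insert", "Reconciliation Update", "Reconciliation Delete"


@dataclass
class ReconEvent:
    kind: str
    key: str
    changes: dict = field(default_factory=dict)  # Insert: new attrs; Update: attr -> (old, new)


def reconcile(oim_users, source_records, key_attr, mapped_attrs):
    """Compare a snapshot from an external resource with OIM's current users.
    oim_users      -- dict: reconciliation key -> attribute dict (OIM side)
    source_records -- attribute dicts received from the external resource
    mapped_attrs   -- attributes the connector maps; anything else is ignored"""
    events, seen = [], set()
    for rec in source_records:
        key = rec.get(key_attr)
        if not key or key in seen:
            continue  # unmatchable (no key) or duplicate record: skip it
        seen.add(key)
        wanted = {a: rec.get(a) for a in mapped_attrs}
        current = oim_users.get(key)
        if current is None:
            events.append(ReconEvent(INSERT, key, wanted))
            continue
        diff = {a: (current.get(a), v) for a, v in wanted.items() if current.get(a) != v}
        if diff:
            events.append(ReconEvent(UPDATE, key, diff))
    # Trusted source reconciliation: users OIM knows but the source no longer has.
    events.extend(ReconEvent(DELETE, key) for key in oim_users if key not in seen)
    return events


# Constructed sample data: OIM's current users vs. a corporate-directory snapshot.
OIM_USERS = {
    "1001": {"empno": "1001", "name": "A. Example", "dept": "Finance", "status": "Active"},
    "1002": {"empno": "1002", "name": "B. Example", "dept": "IT", "status": "Active"},
}
DIRECTORY_SNAPSHOT = [
    {"empno": "1001", "name": "A. Example", "dept": "Audit", "status": "Active", "phone": "x1"},
    {"empno": "1003", "name": "C. Example", "dept": "HR", "status": "Active"},
]
MAPPED_ATTRS = ["name", "dept", "status"]

if __name__ == "__main__":
    for ev in reconcile(OIM_USERS, DIRECTORY_SNAPSHOT, "empno", MAPPED_ATTRS):
        print(ev.kind, ev.key, ev.changes)
```

Note that the unmapped "phone" attribute never produces an Update event, and the user missing from the snapshot yields a Delete event only because the model treats the source as authoritative and complete.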

Oracle Identity Manager Connector: Overview

An Oracle Identity Manager connector is a container that holds all of the information that Oracle Identity Manager needs to:

• Reconcile with an external resource
• Provision a user with a target resource

Oracle Identity Manager Connector: Components

A connector must have the following seven components:

• IT resource type
• IT resource
• Process form
• Process task adapter
• Resource object
• Provisioning process
• Process task

Constructing an Oracle Identity Manager Connector: Step 1

Create an IT resource type. This record represents the classification type, parameter fields, and encryption settings that are associated with a resource.

[Diagram: connector components defined so far: IT resource type (1)]

This screenshot illustrates an IT resource type for an Oracle database. There is a one-to-one relationship between the IT resource type and the connector. That is, each connector should have only one IT resource type.

Constructing an Oracle Identity Manager Connector: Step 2

Define an IT resource. This record contains the values that Oracle Identity Manager needs to communicate with a resource and access it as a system administrator (for provisioning or reconciliation purposes).

[Diagram: connector components defined so far: IT resource type, IT resource (2)]

This screenshot illustrates an IT resource for an Oracle database. There is a one-to-one relationship between the IT resource and the system, service, or application that it represents. If you have four resources, you would thus have four IT resources.

Constructing an Oracle Identity Manager Connector: Step 3

Create a custom process form. This record is a central housing mechanism that holds everything that Oracle Identity Manager needs to either provision a user to a target resource or reconcile a user with an external resource.

[Diagram: connector components defined so far: IT resource type, IT resource, custom process form (3)]

This screenshot illustrates a custom process form for an Oracle database.

Constructing an Oracle Identity Manager Connector: Step 4

Build a process task adapter. This piece of Java code is used by Oracle Identity Manager to automate the completion of a provisioning process task.

[Diagram: connector components defined so far: IT resource type, IT resource, custom process form, process task adapter (4)]

A process task adapter automates the creation of a user's account in an Oracle database. There is a one-to-one relationship between the adapter and a process task: each task can be associated with only one adapter.

Constructing an Oracle Identity Manager Connector: Step 5

Define a resource object. This record is a virtual representation of a resource and contains everything needed to either provision a user to that resource or reconcile a user with it.

[Diagram: connector components defined so far: IT resource type, IT resource, custom process form, process task adapter, resource object (5)]

Example of a resource object for an Oracle database.

Constructing an Oracle Identity Manager Connector: Step 6

Create a provisioning process. This record contains the steps that Oracle Identity Manager must complete to perform provisioning or reconciliation with a particular resource.

[Diagram: connector components defined so far: IT resource type, IT resource, custom process form, process task adapter, resource object, provisioning process (6)]

There is a 1-to-1 relationship between a provisioning process and the workflow that it represents. If you have two resource-related workflows, you should have two processes.

Constructing an Oracle Identity Manager Connector: Step 7

Create a process task.

[Diagram: connector components defined so far: IT resource type, IT resource, custom process form, process task adapter, resource object, provisioning process, process task (7)]

Example of a process task that Oracle Identity Manager uses to create a user's account in an Oracle database.

Constructing an Oracle Identity Manager Connector: Step 8

Attach the process task adapter to the process task.

[Diagram: all seven connector components, with the process task adapter attached to the process task (8)]

Example of a process task adapter being connected to a process task to create a user's account in an Oracle database.

Connectors List

Collaboration and Messaging Applications:
• IBM Lotus Notes/Domino
• Microsoft Exchange
• Novell GroupWise

Database:
• IBM DB2/UDB Database
• Microsoft SQL Server Database
• Oracle Database
• Sybase ASE Database

Directory Services:
• Microsoft Active Directory
• Microsoft Active Directory Password Synchronization
• Novell eDirectory
• Oracle Internet Directory
• Sun Java System Directory

Enterprise Business Applications:
• JD Edwards EnterpriseOne
• Oracle e-Business User Management
• Oracle e-Business Employee Reconciliation
• Oracle Retail Warehouse Management System
• PeopleSoft Employee Reconciliation
• PeopleSoft User Management
• SAP User Management
• SAP Employee Reconciliation
• SAP CUA
• SAP Enterprise Portal
• Siebel User Management

Help Desk:
• BMC Remedy User Management
• BMC Remedy Ticket Management

Security Applications:
• CA ACF2 Advanced
• CA Top Secret Advanced
• IBM RACF Standard
• IBM RACF Advanced
• RSA Authentication Manager

Web Access Control:
• RSA ClearTrust

Certified Operating Systems

Oracle Identity Manager release 9.1.0.1 is certified for the following operating systems:

■ AIX 5L Version 5.3 (pSeries 64-bit)
■ Microsoft Windows Server 2003 R2 (Intel x86 32-bit and EM64T/AMD 64-bit)
■ Microsoft Windows Server 2003 R2 (Itanium 64-bit)
■ Microsoft Windows Vista Ultimate
■ Oracle Enterprise Linux 4 and 5 (Intel x86 32-bit and EM64T/AMD 64-bit)
■ Oracle Virtualization Machine - OEL4
■ Red Hat Enterprise Linux AS Release 4 and 5 (Intel x86 32-bit and EM64T/AMD 64-bit)
■ Red Hat Enterprise Linux AS Release 4 (Itanium 64-bit)
■ Solaris Operating System 10 (UltraSparc 64-bit)
■ HP-UX 11.23 (PA-RISC/Itanium 64-bit)
■ SUSE Linux Enterprise 10 (Intel x86 32-bit and EM64T/AMD 64-bit)
■ SUSE Linux Enterprise Server 10 (Itanium 64-bit)

Certified Application Servers

Oracle Identity Manager release 9.1.0.1 is certified for the following application servers:

■ Oracle WebLogic Server 10.3
■ IBM WebSphere Application Server 6.1.0.19 and later fix packs (that is, 6.1.0.19 and later)
■ JBoss Application Server 4.2.3 GA
■ Oracle Application Server 10.1.3.3 and later (Upgrade patch 10.1.3.3 applied on top of the base package bundled in Oracle SOA Suite 10g Release 10.1.3.1)

Certified Databases

Oracle Identity Manager release 9.1.0 is certified for the following databases:

■ Oracle Database Deployment
- Oracle9i Database Enterprise Edition release 9.2.0.8
- Oracle Database 10g Enterprise Edition release 10.1.0.5 and later patch sets (that is, 10.1.0.6 and later)
- Oracle Database 10g Standard Edition and Enterprise Edition release 10.2.0.1 and later
- Oracle Database 11g Standard Edition and Enterprise Edition release 11.1.0.6 and later patch sets

■ Oracle RAC Deployment
- Oracle Database 10g Enterprise Edition release 10.2.0.3 and later patch sets
- Oracle Database 11g Enterprise Edition release 11.1.0.6 and later patch sets


Oracle Virtual Directory

What is Oracle Virtual Directory?

Oracle Virtual Directory is an LDAPv3-enabled service that provides virtualized abstraction of one or more enterprise data sources into a single directory view. Oracle Virtual Directory provides the ability to integrate LDAP-aware applications into diverse directory environments while minimizing or eliminating the need to change either the infrastructure or the applications.

OVD Supported Software

Supported directories:
• Oracle Internet Directory
• Microsoft Active Directory and ADAM
• Sun Java System Directory Server
• CA eTrust Directory
• IBM Tivoli Directory Server
• Novell eDirectory
• Siemens DirX

Supported databases:
• Oracle 9.2.0.7, 10.1.0.5, 10.2.0.2 (Stand-alone and Real Application Clusters)
• Microsoft SQL Server
• IBM DB2

Oracle Virtual Directory Adapters

OVD supports the following types of adapters:

• Proxy adapters
- LDAP proxy adapter
- Database proxy adapter
- NT Domain (NTLM) proxy adapter
• Storage adapters
- Local-store adapter
• Functional adapters
- Join view adapter
• Custom adapters

LDAP Proxy Adapter

[Diagram: Oracle Virtual Directory with its adapter types (LDAP, Database, NTLM, Local-store, Join view, Custom); the LDAP adapter is the one discussed on this slide]


LDAP Adapter: Initial Configuration


LDAP Adapter: Configuration


LDAP Adapter: SSL Configuration

Database Adapter

[Diagram: Oracle Virtual Directory with its adapter types (LDAP, Database, NTLM, Local-store, Join view, Custom); the Database adapter is the one discussed on this slide]


Database Adapter: Initial Configuration


Database Adapter: Table Mapping


Database Adapter: LDAP Object Mapping


Database Adapter: Configuration
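As an added example, not part of the workshop slides or of Oracle Virtual Directory's own implementation, the following Python model shows what the database adapter's table mapping and LDAP object mapping, and the join view adapter listed among the functional adapters, do to the entries a client sees through the single directory view. The column names, DNs, attribute names and sample rows are constructed; the LDAP proxy adapter is represented only by the entries it would return.

```python
"""Toy model of two OVD adapter types from the slides: a database adapter
(table mapping + LDAP object mapping) and a join view adapter. Added
illustration, not Oracle Virtual Directory's own code or configuration
model; attribute names, DNs and sample data are constructed."""


def db_adapter(rows, table_map, object_class, rdn_attr, base_dn):
    """Database adapter: map each table row to one LDAP entry (dn, attrs).
    table_map is the table mapping: column name -> LDAP attribute name."""
    entries = []
    for row in rows:
        attrs = {ldap_attr: row[col] for col, ldap_attr in table_map.items()
                 if row.get(col) is not None}  # NULL columns yield no attribute
        attrs["objectClass"] = object_class  # LDAP object mapping
        entries.append((f"{rdn_attr}={attrs[rdn_attr]},{base_dn}", attrs))
    return entries


def join_view(primary, secondary, join_attr, shadow_attrs):
    """Join view adapter: each primary entry keeps its own DN; when a secondary
    entry has the same join_attr value, the listed shadow_attrs are copied in.
    Entries that exist only in the secondary adapter are not exposed, and the
    primary's attributes win on conflict (assumed policy for this model)."""
    index = {s.get(join_attr): s for _, s in secondary}
    joined = []
    for dn, attrs in primary:
        merged = dict(attrs)
        match = index.get(attrs.get(join_attr))
        if match:
            for a in shadow_attrs:
                if a in match and a not in merged:
                    merged[a] = match[a]
        joined.append((dn, merged))
    return joined


# Constructed sample data: an HR table, and the entries an LDAP proxy adapter
# would return from the corporate directory (the proxy itself is elided).
HR_ROWS = [
    {"EMP_ID": "1001", "LOGIN": "aexample", "COST_CENTER": "CC-42", "MGR_LOGIN": "bexample"},
    {"EMP_ID": "1002", "LOGIN": "bexample", "COST_CENTER": None, "MGR_LOGIN": None},
]
TABLE_MAP = {"EMP_ID": "employeeNumber", "LOGIN": "uid", "COST_CENTER": "departmentNumber"}
DIRECTORY = [
    ("uid=aexample,ou=people,dc=example,dc=com",
     {"uid": "aexample", "cn": "A. Example", "mail": "a@example.com", "objectClass": "inetOrgPerson"}),
]


def virtual_view():
    """The single directory view a client sees: directory entries joined with HR data."""
    hr = db_adapter(HR_ROWS, TABLE_MAP, "inetOrgPerson", "uid", "ou=hr,dc=example,dc=com")
    return join_view(DIRECTORY, hr, "uid", ["employeeNumber", "departmentNumber"])
```

Calling virtual_view() returns the one directory entry enriched with employeeNumber and departmentNumber; the HR row with no matching directory entry is not exposed, which is the kind of visibility decision to check when a join view fronts sources with different access policies.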


Oracle Enterprise Single Sign-On Suite

What is Oracle Enterprise Single Sign-On Suite?

Enterprise users can enjoy the benefits of single sign-on to all of their applications, whether they are connected to the corporate network, traveling away from the office, roaming between computers or working at a shared workstation.

Administrators have the flexibility of easily deploying Oracle Enterprise Single Sign-On into their existing infrastructure without change - no integration or large deployment effort.

Oracle Enterprise Single Sign-On is architected to use any LDAP directory, Active Directory or any SQL database server as its user profile and credential repository.

Enterprise Single Sign-On can accept primary authentication directly from the Windows logon; it also works with most industry-leading smart cards, biometrics or token solutions. Confidently delivering stronger password authentication or advanced authentication is simple with Oracle Enterprise Single Sign-On.

Oracle Enterprise Single Sign-On Suite Components

Oracle Enterprise Single Sign-On Suite is comprised of five components that improve authentication capabilities and deliver efficient access and self-service capabilities for Web and non-Web-based applications. These include:

• Oracle Enterprise Single Sign-On Logon Manager – helps increase security and decrease complexity by enabling individuals to securely use the same username and password for their Web-based and legacy applications;

• Oracle Enterprise Single Sign-On Password Reset – can reduce costs by providing organizations the ability to set flexible, custom policies for users to recover lost or forgotten desktop passwords through secure, self-service interfaces;

• Oracle Enterprise Single Sign-On Authentication Manager – strengthens security and helps streamline compliance by allowing organizations to use a combination of tokens, smart cards, biometrics and passwords to control access to their applications throughout the enterprise;

• Oracle Enterprise Single Sign-On Provisioning Gateway – helps streamline the user provisioning process by allowing organizations to automatically provision diverse accounts through a single identity administration process; and

• Oracle Enterprise Single Sign-On Kiosk Manager – allows individuals to access applications more quickly and securely even at multi-user kiosks and workstations.

Supported Operating Systems

The ESSO-LM components are supported on the following operating systems:

Operating System / Versions Supported
• Microsoft® Windows® 2000 SP4
• Microsoft Windows XP Professional SP2
• Microsoft Windows Server 2003 SP1
• Microsoft Vista Business Edition, v2
